feature: add server random and master key fetch api #523

Closed
theweakgod wants to merge 1 commit into openresty:master from theweakgod:master

@theweakgod

What

Add two new FFI-based Lua APIs to the ngx.ssl module:

  • get_server_random([outlen]) — returns the server random (default 32 bytes) from the current SSL connection, wrapping OpenSSL's SSL_get_server_random().
  • get_session_master_key([outlen]) — returns the master secret (default 48 bytes, i.e. SSL_MAX_MASTER_KEY_LENGTH) from the current SSL session, wrapping OpenSSL's SSL_SESSION_get_master_key().

Both follow the same calling convention as the existing get_client_random(): pass 0 to get the length, pass nil or omit to get the value with the default size.

Why

The ngx.ssl module already exposes get_client_random(), but server random and master key are missing. All three are required to produce an NSS Key Log entry:

CLIENT_RANDOM <client_random_hex> <master_key_hex>

This file format is supported by Wireshark for decrypting TLS 1.2 traffic captures. Without this PR, users have to resort to LD_PRELOAD hacks, eBPF tools, or NGINX Plus (ssl_key_log / proxy_ssl_key_log directives) to obtain the same data.

Usage

local ssl = require "ngx.ssl"
 
local cr = ssl.get_client_random()   -- 32 bytes raw
local sr = ssl.get_server_random()   -- 32 bytes raw
local mk = ssl.get_session_master_key() -- 48 bytes raw

Produce a Wireshark-compatible key log line:

local to_hex = require "resty.string".to_hex
local line = "CLIENT_RANDOM " .. to_hex(cr) .. " " .. to_hex(mk) .. "\n"
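
An added example, not part of the original pull request or of lua-resty-core: a Python check that validates key log lines of the form shown above before the file is handed to Wireshark. It accepts only the CLIENT_RANDOM label and the 32-byte and 48-byte lengths given in the description; the function names and the sample data are constructed for illustration.

```python
import re

# Lengths stated in the PR description: 32-byte random, 48-byte master secret.
RANDOM_HEX_LEN = 32 * 2
MASTER_KEY_HEX_LEN = 48 * 2
_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_keylog_line(line):
    """Return (client_random, master_key) as bytes, or None for blank/comment lines.

    Raises ValueError on anything that is not a well-formed CLIENT_RANDOM entry.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split(" ")
    if len(fields) != 3 or fields[0] != "CLIENT_RANDOM":
        raise ValueError("expected 'CLIENT_RANDOM <random> <master_key>'")
    _, random_hex, key_hex = fields
    if len(random_hex) != RANDOM_HEX_LEN or not _HEX.fullmatch(random_hex):
        raise ValueError("client random must be 64 hex characters")
    if len(key_hex) != MASTER_KEY_HEX_LEN or not _HEX.fullmatch(key_hex):
        raise ValueError("master key must be 96 hex characters")
    return bytes.fromhex(random_hex), bytes.fromhex(key_hex)


def check_keylog(text):
    """Validate every line; return (entries_by_client_random, [(line_no, error)])."""
    entries, errors = {}, []
    for line_no, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_keylog_line(line)
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        if parsed:
            entries[parsed[0]] = parsed[1]
    return entries, errors


# Constructed sample: repeated filler bytes, not real TLS secrets.
SAMPLE = "\n".join([
    "# constructed key log for the example",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 47,  # truncated master key
    "CLIENT_RANDOM " + "zz" * 32 + " " + "cd" * 48,  # not hexadecimal
])

if __name__ == "__main__":
    ok, bad = check_keylog(SAMPLE)
    print(len(ok), "valid entries; problems:", bad)
```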

@theweakgod theweakgod changed the title feat: add server random and master key fetch api draft: add server random and master key fetch api Mar 16, 2026
@theweakgod theweakgod changed the title draft: add server random and master key fetch api feature: add server random and master key fetch api Mar 16, 2026
@theweakgod theweakgod marked this pull request as draft March 16, 2026 15:16
@theweakgod theweakgod marked this pull request as ready for review March 22, 2026 05:53
@theweakgod theweakgod force-pushed the master branch 2 times, most recently from ec6bd55 to cc810be Compare March 22, 2026 06:54
@theweakgod theweakgod marked this pull request as draft March 22, 2026 07:10
@theweakgod theweakgod marked this pull request as ready for review March 22, 2026 07:10
@theweakgod theweakgod force-pushed the master branch 6 times, most recently from 79bb140 to 95b12ac Compare March 23, 2026 11:59
@theweakgod theweakgod closed this Mar 23, 2026
@theweakgod theweakgod reopened this Mar 23, 2026
@theweakgod theweakgod force-pushed the master branch 3 times, most recently from c3c81b3 to 3b41bef Compare March 23, 2026 12:57
@zhuizhuhaomeng

This feature has been merged
